tachtler:ssh
Differences
This page shows the differences between two versions of the page.
tachtler:ssh [2012/08/29 11:11] – [SSH client configuration] klaus | tachtler:ssh [2014/10/01 16:19] (current) – [Public-key authentication] klaus
---|---
Line 55: | Line 55:
Die folgende Konfigurationsdatei des SSH-Daemons wurde auf höhere Sicherheitsbedürfnisse angepasst. | Die folgende Konfigurationsdatei des SSH-Daemons wurde auf höhere Sicherheitsbedürfnisse angepasst. | ||
<code ini> | <code ini> | ||
- | + | # | |
- | # | + | |
# This is the sshd server system-wide configuration file. See | # This is the sshd server system-wide configuration file. See | ||
Line 70: | Line 69:
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
- | AcceptEnv LC_IDENTIFICATION LC_ALL | + | AcceptEnv LC_IDENTIFICATION LC_ALL |
- | AllowUsers | + | AcceptEnv XMODIFIERS |
+ | AllowUsers | ||
+ | AddressFamily inet | ||
Banner / | Banner / | ||
ChallengeResponseAuthentication no | ChallengeResponseAuthentication no | ||
- | GSSAPIAuthentication | + | GSSAPIAuthentication |
GSSAPICleanupCredentials yes | GSSAPICleanupCredentials yes | ||
- | | + | |
+ | HostKey / | ||
+ | ListenAddress 192.168.0.10: | ||
+ | ListenAddress 127.0.0.1: | ||
+ | MaxAuthTries 12 | ||
Protocol 2 | Protocol 2 | ||
Subsystem | Subsystem | ||
SyslogFacility AUTHPRIV | SyslogFacility AUTHPRIV | ||
- | UsePAM | + | UsePAM |
+ | UsePrivilegeSeparation sandbox | ||
X11Forwarding yes | X11Forwarding yes | ||
- | # Settings for " | + | # Settings for Key-Authorization |
AuthorizedKeysFile %h/ | AuthorizedKeysFile %h/ | ||
- | PasswordAuthentication no | + | PasswordAuthentication no |
- | PermitRootLogin no | + | PermitRootLogin no |
PermitEmptyPasswords no | PermitEmptyPasswords no | ||
- | RSAAuthentication no | + | RSAAuthentication no |
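Review bot: `MaxAuthTries 12` doubles the OpenSSH default of 6. With `PasswordAuthentication no` and `ChallengeResponseAuthentication no` in the same file this mainly limits how many public keys a client may offer before the server disconnects, but it also widens the guessing window if password authentication is ever switched back on, so a comment stating why 12 is needed would help the next reader. `AcceptEnv XMODIFIERS` enlarges the set of client-supplied environment variables the server accepts and should be justified next to the existing AcceptEnv lines. `AddressFamily inet` with the two explicit `ListenAddress` entries and `UsePrivilegeSeparation sandbox` are sound tightening; note that the `sandbox` value is only understood by OpenSSH 5.9 and later, and an older sshd will reject it as a bad yes/no argument when parsing the file, so the version requirement belongs in the comment block.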
Line 293: | Line 298:
# | # | ||
- | # HostKey | + | # HostKey |
# Specifies a file containing a private host key used by SSH. The | # Specifies a file containing a private host key used by SSH. The | ||
# default is / | # default is / | ||
Line 661: | Line 666:
<code ini> | <code ini> | ||
- | # | + | # |
# This is the ssh client system-wide configuration file. See | # This is the ssh client system-wide configuration file. See | ||
Line 685: | Line 690:
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
- | SendEnv LC_IDENTIFICATION LC_ALL | + | SendEnv LC_IDENTIFICATION LC_ALL |
+ | SendEnv XMODIFIERS | ||
# Host Restricts the following declarations (up to the next Host key- | # Host Restricts the following declarations (up to the next Host key- | ||
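Review bot: `SendEnv XMODIFIERS` on the client side only has an effect because the sshd_config hunk above adds the matching `AcceptEnv XMODIFIERS`; the two changes depend on each other and should be documented together, since removing one silently disables the other and an extra variable sent to every server is only acceptable where the server side is trusted.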
Line 1430: | Line 1436:
Hier ein Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | Hier ein Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | ||
< | < | ||
- | # ssh-keygen -b 4096 -t rsa -C username@rechner.tld | + | ssh-keygen -b 4096 -t rsa -C username@rechner.tld |
Generating public/ | Generating public/ | ||
- | Enter file in which to save the key (/ | + | Enter file in which to save the key (/home/ |
- | Created directory '/ | + | Enter passphrase (empty for no passphrase): |
- | Enter passphrase (empty for no passphrase): | + | Enter same passphrase again: |
- | Enter same passphrase again: | + | Your identification has been saved in /home/ |
- | Your identification has been saved in / | + | Your public key has been saved in /home/ |
- | Your public key has been saved in / | + | |
The key fingerprint is: | The key fingerprint is: | ||
- | a1:a3:bc:35:a2:d0:22:99:73:72:3b:96:31:65:42:14 username@rechner.tld | + | f7:34:69:ce:d6:28:a5:72:78:a7:0b:7d:16:8d:f6:f6 username@rechner.tld |
+ | The key's randomart image is: | ||
+ | +--[ RSA 4096]----+ | ||
+ | | | | ||
+ | | | | ||
+ | | | | ||
+ | | | ||
+ | | S . X . | | ||
+ | | + X * | | ||
+ | | + * X + | | ||
+ | | = B . . | | ||
+ | | o. E| | ||
+ | +-----------------+ | ||
</ | </ | ||
+ | |||
+ | Hier ein weiteres Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | ||
+ | < | ||
+ | $ ssh-keygen -b 256 -t ecdsa -C username@rechner.tld | ||
+ | Generating public/ | ||
+ | Enter file in which to save the key (/ | ||
+ | Enter passphrase (empty for no passphrase): | ||
+ | Enter same passphrase again: | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | 17: | ||
+ | The key's randomart image is: | ||
+ | +--[ECDSA | ||
+ | | | | ||
+ | | | | ||
+ | | o o . | | ||
+ | |.o B . + . . | | ||
+ | |o.= = o.S.. | | ||
+ | |o o E o. | | ||
+ | |. . . | ||
+ | | +. . o . . | | ||
+ | |o.. . . . | | ||
+ | +-----------------+ | ||
+ | </ | ||
+ | |||
+ | :!: **ACHTUNG** - **Aufgrund der Inkompatibilität von ECDSA-Schlüssel zu OpenSSH-Version __VOR__ Version 5.7, sollte der Einsatz genau geprüft werden. Auch wurde das Unterverfahren NIST mit Unterstützung der NSA erstellt !!!** | ||
=== " | === " |
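Review bot: the two key-generation transcripts now use different prompt conventions: the RSA example drops the `#` prefix altogether while the new ECDSA example starts with `$ ssh-keygen`, so a reader can no longer tell the typed command from the output in the first block; pick one convention for both. In the ECDSA example `-b 256` is the smallest of the three sizes ssh-keygen accepts for `-t ecdsa` (256, 384 and 521); since the RSA example deliberately uses 4096 bits, the choice of 256 deserves a sentence. The ACHTUNG box names the OpenSSH 5.7 requirement for ECDSA keys; it should say that this applies to the server as well as the client, because a key that an older sshd cannot read gives no usable login.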
tachtler/ssh.1346231519.txt.gz · Last modified: 2012/08/29 11:11 by klaus